Unless otherwise indicated herein, the materials described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Virtual machines have become a core tool in data centers. They allow load balancing and separation between users, as well as allowing different users to run different operating systems and releases on the same hardware.
However, the existence of multiple virtual machines on the same hardware presents security risks. For example, in one security risk scenario, an attacker may get a virtual machine co-located with a target, e.g., using cloud cartography methods such as those disclosed in T. Ristenpart et al., “Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds,” in Proceedings of the 16th ACM Conference on Computer and Communications Security, 2009, pages 199-212. The attacker may employ side channel attacks to extract data from co-located processes. These side channel attacks take advantage of information leakage due to the sharing of physical resources.
Such example attacks may take advantage of processor data caches and may enable extraction, for example, of encryption/decryption keys. See C. Percival, “Cache Missing for Fun and Profit,” BSDCan 2005; D. A. Osvik et al., “Cache Attacks and Countermeasures: The Case of AES,” Topics in Cryptology—CT-RSA 2006, The Cryptographers' Track at the RSA Conference 2006. In an example attack, data streams are extracted from shared memory or caches by timing cache accesses to detect evictions. Such methods do not require access to any common resources; however, shared resource access makes them much more powerful. See C. Percival, “Cache Missing for Fun and Profit,” BSDCan 2005. Other researchers have found that caches leak keystroke timing information, which can be used to extract passwords and/or count users. See R. McMillan, “Researchers Find a New Way to Attack the Cloud: ‘Side-channel’ attack techniques could lead to more serious problems,” COMPUTER WORLD, Sep. 3, 2009.